GitLab

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

..to delete neighbor proxy only:

1) in old primary node during instance migrate/failover
2) in primary node during instance shutdown/remove

Please note that this is done also by kvm-ifdown-custom.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

..and don't count on tags, etc. This should work on a best effort
basis.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Ganeti exports node names with their FQDN. Use hostname -f
to compare the exported variables and decide whether to execute
the hook or not.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Use $oldchain instead of $chain.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Depending on each rule reason we add a relevant comment prefixed
with "snf-network_".

Currently we have three reasons: firewall, proxy-arp, extra.

Additionally save all rules under /etc/iptables/ at the end of
ifup-extra script. This can be used to restore some rules after
reloading ferm.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

..and use upper case for all acronyms (NIC, TAP, DNS, SSH, RDP).
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Remove further info and implementation details of ip-less-routed
and private-filtered setups from main page. Introduce routed and
ebtables page to include all this info.

Add /etc/network/interfaces examples for ip-less-routed
configuration.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

..and add interfaces, vmrouter ifup and ifdown scripts, and
prv-net-helper.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Use addresses reserved for documentation in interfaces example file.

Mention two setups:

 * routed setup
    - external router
    - nodes without IP inside routed network
    - proxy ARP

 * bridged setup
    - extra common interfaces on all nodes
    - one common bridge on separate interface
    - node with internet access is the gateway and does NAT
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

- ifup-extra
- firewall
- nfdhcpd
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

This ferm defines 3 extra chains in filter table (for both
ipv4 and ipv6): protected, limited, unprotected.

The first drops incoming new connections, allows dns replies and pings.
The seconds allows ssh, and rdp ports.
The third just accepts the packet.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Just like routed setups we parse instance's tags and search
for a specific suffix (chain). If found we add an ebtables
rule so that outgoing traffic to tap will go through this
chain.

Note that those chains should be created by admin first.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Note that currently this is executed only during
OP_INSTANCE_SET_PARAMS.

Before using it we should query_dns().
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

GANETI_INSTANCE_NAME is available only in hooks. Library uses
INSTANCE so we should set it as soon as possible.

Hooks are not aware of INTERFACE. Thus get_info() will find
INDEV and ebtables chains only during NIC configuration scripts.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

* Set GANETI_INSTANCE_NAME
* Set TABLE, INDEV
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

This should do any cleanup needed related to the interface
that is going down.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Package will create a symlink until this gets renamed in
upstream Ganeti as well.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

..and remove any unused rules (comments) related to ebtables
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

It gets the exported environment and calculates all needed vars for
a specific interface. Use this function early in scripts and as
soon as you extract each interface info in hooks.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

- Use NETWORK_SUBNET6 since this is exported by Ganeti and not
  just SUBNET6
- All logging in helper function
- Do not send GARP or delete neighbor proxy if desired vars are not
  set
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

* Factor out GARP and neighbor proxy action from setup_routed*
* Invoke send_garp in kvm-ifup
* Invoke delete_neighbor_proxy in snf-network-hook
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

arpsend comes along with ndsend with vzctl package.
We send only one packet in order not to delay ifup script.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

..to snf-network-dnshook and snf-network-hook correspondingly.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>